Archangel
First let's scan the machine for open ports. I usually do this with nmap.
You need to run this command as root.
This will take a while, so I use rustscan to make a quick scan.
Found a domain -> mafialive.thm
If you solve the requirements in order, this machine is quite easy to solve. Let's change the /etc/hosts file and add our domain.
Next, I enumerate the domain that I found using dirsearch and feroxbuster. I also do a subdomain enumeration using wfuzz.
As I said, all you need to do is enumerate in the order that the requirements ask. So if you access test.php and try some LFI payloads, you will get some answers.
Now let's get access using some LFI2RCE techniques, but first I will restart the machine, because fuzzing generates a lot of logs, the content is too large, and I like it to be easy to read.
So it is about the user-agent. Let's exploit this by injecting a payload in the user-agent.
After this, go to the website and refresh the page with the logs and you will get a reverse shell. Don't forget to open a listener. I don't put the flags here; try to do the machine on your own.
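A defender's view of the step above, as an added example that is not part of the original writeup: it scans Apache combined-format access log lines for PHP code stored in a request header and for a later request that points at a log file. The sample lines, the `page` parameter, the log path and the alert names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
FIELD = r'(?:[^"\\]|\\.)*'  # quoted field; Apache escapes embedded quotes as \"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<req>' + FIELD + r')" \d{3} \S+ '
    r'"(?P<ref>' + FIELD + r')" "(?P<ua>' + FIELD + r')"$'
)
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)           # PHP code stored in a header
LFI = re.compile(r"\.\./|\.\.\\|php://", re.I)        # traversal or wrapper in the URL
LOG_REF = re.compile(r"/var/log/|/proc/self/", re.I)  # request points at a log-like file

# Constructed sample input (not taken from the target machine).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /test.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /test.php?page=/var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

def analyze(lines):
    """Return a list of (line_number, severity, reason) alerts."""
    alerts = []
    log_poisoned = False  # becomes True once any entry has stored PHP code in the log
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # Lines that do not parse are reported, not silently dropped.
            alerts.append((n, "low", "unparsed"))
            continue
        # Decode twice so single and double URL-encoding are both undone.
        target = unquote(unquote(m["req"]))
        if LOG_REF.search(target):
            if log_poisoned:
                alerts.append((n, "high", "log-include-after-poisoning"))
            else:
                alerts.append((n, "medium", "log-include"))
        elif LFI.search(target):
            alerts.append((n, "medium", "lfi-pattern"))
        if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["ref"]):
            log_poisoned = True
            alerts.append((n, "medium", "php-in-header"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The poisoning flag is global, not per source address, because a stored entry stays in the log no matter which client later causes the file to be included.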
After some minutes of enumeration I found an interesting file in the /opt directory. This file can be modified by everyone and it is also executed every minute by the archangel user.
As you can see, I tried some payloads, but the last one worked and now I am the archangel user. Now let's get root privileges.
After a while I get root access. I found an ELF file (backup). Analyze this file and you will see that it executes the following command.
The cp command is executed without an absolute path (/bin/cp), so you can exploit this. Make an executable file named cp in the home directory of archangel, change the PATH variable, and you will get root access.